Configuring an Authoritative Time Server with Group Policy Using WMI Filtering

Hello everyone, Brian Singleton here. Here’s a question I often get from customers regarding Windows Time:

“Is there a way I can configure the Windows Time settings via Group Policy and have it only apply to the domain controller that holds the PDC FSMO role?”

This is a wonderful question to pose and there are very good reasons why this should be done:

If you decide to move the PDC emulator role to another domain controller, you do not want to have to go through the trouble of making all of the registry changes again.

If the PDC emulator fails, and you have to bring up a new server, you may forget to add the settings back, resulting in a time sync issue in your domain.

We have a feature in Group Policy to help us that you may have read about on this blog, and that is WMI filtering.

Windows Management Instrumentation (WMI) is a powerful feature in Windows that we can leverage to provide us very detailed information about computers in our environment. We can use WMI via a script to remotely manage machines, as well as gather information about machines in our domain for inventory purposes.

The main reason why I have brought this feature up is that we can provide an additional layer of filtering for Group Policy application using WMI.

We can configure a GPO on the Domain Controllers OU for our W32Time settings to configure the authoritative time server, but instead of using security filtering to scope it explicitly to the domain controller that holds the PDC emulator role, WMI filtering can be used instead. It is important to state before continuing that WMI filtering only works with computers running Windows XP/Windows Server 2003 and later. That means you cannot use WMI filtering with Windows 2000.

Below is an example:

The domain I configure this policy on is Windows Server 2003, but the same applies to Windows Server 2008 as well. I am also using the Group Policy Management Console (GPMC), which can be downloaded from here. For those of you who are using Windows Vista, you can get GPMC by downloading the Microsoft Remote Server Administration Tools (RSAT).

First I will create my WMI filter:

Next, I add my query:

In the screenshot above I added the following query:

Select * from Win32_ComputerSystem where DomainRole = 5

You can use WMIC to verify the current value of the DomainRole property. This is a helpful sanity check to make sure the filter will achieve the desired result.

To view the DomainRole value locally:

wmic computersystem get domainrole

To view the DomainRole value remotely (where M1 is the remote computer):

wmic /node:"M1" computersystem get domainrole

In WMI we break up the various components of the OS and actual machine into classes. The Win32_ComputerSystem class is for computers running a Windows OS. Have a look at the following MSDN link for this class as well as other WMI classes:

The Win32_ComputerSystem class has a lot of properties that can be used in scripting as well as in filtering for Group Policy, but for the purposes of this post we will focus on DomainRole:

From the MSDN website:

DomainRole

Role of a computer in an assigned domain workgroup. A domain workgroup is a collection of computers on the same network. For example, a DomainRole property may show that a computer is a member workstation. This property is inherited from CIM_ManagedSystemElement.

Value   Meaning
0       Standalone Workstation
1       Member Workstation
2       Standalone Server
3       Member Server
4       Backup Domain Controller
5       Primary Domain Controller

As you can see from the above chart, 5 means Primary Domain Controller. So the query, Select * from Win32_ComputerSystem where DomainRole = 5, selects a machine whose DomainRole is 5, Primary Domain Controller. For those of you who would like to create a Windows Time GPO for all the other domain controllers, you would just change it to DomainRole = 4.

What I have just accomplished is that the Authoritative Time Server GPO will only apply to the domain controller that holds the PDC emulator FSMO role. By configuring the policy in this fashion, I can transfer the PDC role to any domain controller and the policy will follow the role. Also, if the PDC fails and I bring up a new domain controller and seize the PDC emulator role to it, the policy will apply on the next policy refresh or when I force a Group Policy refresh.
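As an added example (not code from the original post), this PowerShell script performs the sanity check the post does with WMIC, but also decodes the value, evaluates the filter query the way the Group Policy engine does (a filter applies when the query returns at least one instance), and compares the result with the PDC emulator that Active Directory reports, which catches the window between a role transfer and the next policy refresh. It assumes PowerShell 3.0 or later, the ActiveDirectory RSAT module, and Windows Vista/Server 2008 or later for w32tm /query.

```powershell
# Added example, not code from the original post. Evaluates the post's WMI filter
# on this host, decodes DomainRole, and cross-checks against the PDC emulator that
# Active Directory reports.
# Assumptions: PowerShell 3.0+ (Get-CimInstance), the ActiveDirectory module (RSAT),
# and Vista/2008 or later for "w32tm /query".

$Query = 'Select * from Win32_ComputerSystem where DomainRole = 5'   # filter from the post

# Meanings from the DomainRole table above
$RoleNames = @{
    0 = 'Standalone Workstation';   1 = 'Member Workstation'
    2 = 'Standalone Server';        3 = 'Member Server'
    4 = 'Backup Domain Controller'; 5 = 'Primary Domain Controller'
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
'{0}: DomainRole = {1} ({2})' -f $cs.Name, $cs.DomainRole, $RoleNames[[int]$cs.DomainRole]

# A WMI filter applies when its query returns at least one instance.
$filterApplies = @(Get-CimInstance -Query $Query).Count -gt 0
'WMI filter would {0} to this computer' -f $(if ($filterApplies) { 'apply' } else { 'NOT apply' })

# Cross-check against the FSMO role holder as AD sees it. A mismatch right after a
# transfer or seizure usually means the change has not replicated to this DC yet.
Import-Module ActiveDirectory -ErrorAction Stop
$pdc       = (Get-ADDomain).PDCEmulator                               # FQDN of the PDC emulator
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$isPdcPerAd = $pdc -ieq $localFqdn
'AD reports PDC emulator: {0}' -f $pdc

if ($filterApplies -ne $isPdcPerAd) {
    Write-Warning 'WMI DomainRole and AD FSMO ownership disagree; re-check after replication, then run gpupdate /force.'
}

# What the time service is actually doing right now on this host
w32tm /query /source
w32tm /query /configuration
```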

I hope that you have learned a little more about how powerful WMI filters are and how they can be leveraged to apply Group Policy selectively.

I have a GPO which forces my clients and member servers to use my PDC emulator as their time source with the NTP method. I have then configured my PDC to look to an external time source.

I have been told that I don't have to create and apply the GPO at all and that simply pointing the PDC to an external source will work. Is this so as the default behaviour did not seem to be working?

If I don't need the GPO and simply remove it, will the clients and member servers then fall back to the default MS method, or is there something else I should do? Someone mentioned I may need to do a "w32tm /config /syncfromflags:domhier /update" on all the non-DC machines.

If you configured the settings for the PDC role according to the above article WITHOUT manually configuring the settings, then no, you do not have to do anything when the PDC role moves to another DC. The old PDC will revert to the NT5DS settings as normal.

SEE BELOW FOR ADDITIONAL INFO TO ANSWER BROONIE27

Now your question Broonie:

If you have configured a GPO to configure your client machines for NTP settings (pointing them to your PDC) and you have NOT manually configured your clients, then when the policy is removed the client machines will revert back to the normal domain hierarchy settings and you do not have to configure anything.

Why would you not have to change anything?

When you create a policy, the settings are configured in the following location (which takes precedence over the next location):

HKLM\Software\Policies\Microsoft\Windows\W32time (the W32time key is created with the policy)

When the policy is removed, this key is also removed.

The other location, which is the default, is:

HKLM\System\CurrentControlSet\Services\W32time

Provided that you both have not changed the default settings in the location above (under the Services key), simply removing the policy, or leaving the old PDC alone, will be fine. The defaults will take effect again in both scenarios.
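As an added example (not code from the thread), this PowerShell script reads the same W32Time settings from the policy key and from the service key side by side, so you can see which one is in effect and whether a GPO is still managing the time service. It assumes the policy settings are written under HKLM\SOFTWARE\Policies\Microsoft\W32Time (where the Windows Time policy settings land), that it is run elevated, and Vista/2008 or later for w32tm /query.

```powershell
# Added example, not code from the thread. Shows which W32Time settings are in effect:
# a value under the policy key wins while a GPO sets it; otherwise the service key applies.
# Assumptions: policy key under HKLM\SOFTWARE\Policies\Microsoft\W32Time, run elevated,
# Vista/2008 or later for "w32tm /query".

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Settings worth comparing: Type is NT5DS (domain hierarchy) or NTP (manual peers)
$Settings = @(
    @{ Sub = 'Parameters';              Name = 'Type' }
    @{ Sub = 'Parameters';              Name = 'NtpServer' }
    @{ Sub = 'Config';                  Name = 'AnnounceFlags' }
    @{ Sub = 'TimeProviders\NtpClient'; Name = 'SpecialPollInterval' }
)

function Get-RegValue($Base, $Sub, $Name) {
    # Returns $null when the key or value does not exist instead of throwing
    $item = Get-ItemProperty -Path (Join-Path $Base $Sub) -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

foreach ($s in $Settings) {
    $pol = Get-RegValue $PolicyKey  $s.Sub $s.Name
    $svc = Get-RegValue $ServiceKey $s.Sub $s.Name
    if ($null -ne $pol) { $eff = "$pol (policy)" } else { $eff = "$svc (service default)" }
    [pscustomobject]@{
        Setting   = "$($s.Sub)\$($s.Name)"
        Policy    = $pol
        Service   = $svc
        Effective = $eff
    }
}

if (Test-Path $PolicyKey) { 'Policy key present: a GPO is currently managing W32Time on this host.' }
else                      { 'No policy key: W32Time is running on its service-key (default) settings.' }

# What the service itself reports after applying the precedence above
w32tm /query /source
```

Run it before and after removing the GPO (and after gpupdate /force) to confirm the policy column empties and the effective values fall back to the service key.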

Please correct me if I am wrong, but simply put: if I had a 2008 DC and I need to make all PCs in all branches update the time from the DC, do I just need to configure the NTP policy, or do I need additional configuration?